<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Force mail user to change password in 90 days</title>
        <link rel="stylesheet" type="text/css" href="./css/markdown.css" />
    </head>
    <body>

    <div id="navigation">
    <a href="https://www.iredmail.org" target="_blank">
        <img alt="iRedMail web site"
             src="./images/logo-iredmail.png"
             style="vertical-align: middle; height: 30px;"
             />&nbsp;
        <span>iRedMail</span>
    </a>
    &nbsp;&nbsp;//&nbsp;&nbsp;<a href="./index.html">Document Index</a></div><h1 id="force-mail-user-to-change-password-in-90-days">Force mail user to change password in 90 days</h1>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>Check out the lightweight on-premises email archiving software developed by iRedMail team: <a href="https://spiderd.io/">Spider Email Archiver</a>.</p>
</div>
<div class="toc">
<ul>
<li><a href="#force-mail-user-to-change-password-in-90-days">Force mail user to change password in 90 days</a><ul>
<li><a href="#how-it-works">How it works</a></li>
<li><a href="#how-to-enable-iredapd-plugin">How to enable iRedAPD plugin</a></li>
<li><a href="#roundcube-plugin-force_password_change">Roundcube plugin: force_password_change</a></li>
<li><a href="#iredadmin-pro-dont-set-password-last-change-date-while-creating-new-user">iRedAdmin-Pro: Don't set password last change date while creating new user</a></li>
</ul>
</li>
</ul>
</div>
<h2 id="how-it-works">How it works</h2>
<p>Roundcube webmail and SOGo groupware are configured to store password change
date while user changed password.</p>
<ul>
<li>For iRedMail SQL backends, the date is stored in SQL database <code>vmail</code>,
  column <code>mailbox.passwordlastchange</code>. If user didn't change password before,
  the password last change date will be set to <code>0000-00-00 00:00:00</code>.</li>
<li>For LDAP backends, it's stored in LDAP attribute <code>shadowLastChange</code> of user
  account. If user didn't change password before, this attribute is absent.</li>
</ul>
<p>iRedAPD has plugin to force mail users to change password before sending email:</p>
<ul>
<li><code>sql_force_change_password</code>: for SQL backends (MySQL, MariaDB and
  PostgreSQL).</li>
<li><code>ldap_force_change_password</code>: for LDAP backends (OpenLDAP and OpenBSD
  built-in LDAP server <code>ldapd(8)</code>).</li>
</ul>
<p>When user trying to send an email, iRedAPD invokes this plugin to check
password last change date stored in SQL/LDAP and compare it with current time,
if it's longer than defined days (parameter <code>CHANGE_PASSWORD_DAYS</code>), this
plugin rejects the smtp session with defined message (parameter
<code>CHANGE_PASSWORD_MESSAGE</code>).</p>
<h2 id="how-to-enable-iredapd-plugin">How to enable iRedAPD plugin</h2>
<p>To enable this plugin, please list the plugin name in iRedAPD config file
<code>/opt/iredapd/settings.py</code>, variable <code>plugins =</code>. For example:</p>
<pre><code class="language-python"># For SQL backends
plugins = [..., 'sql_force_change_password']

# For LDAP backends:
plugins = [..., 'ldap_force_change_password']
</code></pre>
<p>There're three optional settings pre-defined in <code>/opt/iredapd/libs/default_settings.py</code>,
if you want to change them, please copy the parameter names and set proper values
in <code>/opt/iredapd/settings.py</code>:</p>
<pre><code># Force to change password in certain days.
CHANGE_PASSWORD_DAYS = 90

# Reject reason.
# It's recommended to add URL of the web applications which user can login
# to change password in this message. e.g. Roundcube webmail, iRedAdmin-Pro.
CHANGE_PASSWORD_MESSAGE = 'Password expired or never changed, please change your password in webmail before sending email'

# Allow certain users or domains to never change password.
# sample values: ['user@example.com', 'domain.com']
CHANGE_PASSWORD_NEVER_EXPIRE_USERS = []
</code></pre>
<p>Restarting <code>iredapd</code> service is required after changed <code>/opt/iredapd/settings.py</code>.</p>
<h2 id="roundcube-plugin-force_password_change">Roundcube plugin: <code>force_password_change</code></h2>
<p>There's a third-party Roundcube plugin can force user to change password.
<a href="https://bitbucket.org/wainlake/force_password_change">https://bitbucket.org/wainlake/force_password_change</a></p>
<p>Roundcube will <strong>ALWAYS</strong> redirect user to <code>Password</code> page (offered by official
Roundcube plugin password) until user changed the password.</p>
<h2 id="iredadmin-pro-dont-set-password-last-change-date-while-creating-new-user">iRedAdmin-Pro: Don't set password last change date while creating new user</h2>
<p>iRedAdmin-Pro sets password last change date to the time when the account was
created, if you don't want to set the time, please set parameter
<code>SET_PASSWORD_CHANGE_DATE_FOR_NEW_USER</code> to <code>False</code> in config file
<code>/opt/www/iredadmin/settings.py</code>, then restart <code>iredadmin</code> service:</p>
<pre><code>SET_PASSWORD_CHANGE_DATE_FOR_NEW_USER = False
</code></pre><div class="footer">
    <p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div></body></html>